- You had better be ready to respond to a data breach, because it will probably happen
- More companies are beginning to explore cyber insurance
- Grass-roots efforts by NAPBS members are having an impact on state and federal legislation
- The industry needs to do a better job of communicating that fingerprint records can’t replace comprehensive background checks
NAPBS held its Annual Conference September 20-22 at the JW Marriott in Austin, Texas. It was one of the association’s largest conferences ever, with 584 attendees from 307 companies, including attendees from China, Hong Kong, Canada, India, Mexico, Nepal, the Northern Mariana Islands, the Philippines, and the United Kingdom. The conference also had 152 exhibitors and/or sponsors from 50 companies.
In addition to FCRA compliance matters, conference sessions were heavy with info on cyber security and data breach loss/prevention.
In this report:
- End-user challenges and wish lists
- State drug laws are hazy
- Disputes done right
- Are your data vendors salty?
- Expand your business horizons overseas
- The weakest link in cybersecurity
- Get your head in the Cloud
- Look at yourself like a lawyer would
- Who’s in your data breach response plan?
- You will comply
- Are your customers putting you in danger?
- New rules of the road for PSP
- Across the legislative landscape
- Large companies can have employees who are regulated by different agencies
- Hiring managers are usually more concerned with speed than risk mitigation
- The general public still has misconceptions about fingerprint records vs. background screening
The conference opened on a different note this year. Instead of a traditional keynote speaker, NAPBS Executive Director Melissa Sorenson hosted a unique end-user panel featuring representatives from two giant global security/military contractors and a major financial services firm, all involved with very specialized background screening processes. They were there to share their individual challenges and what they look for in screening partners.
They all agreed that the secret for HR is to find the right balance so that screening accuracy is not sacrificed for faster turnaround times. That can be especially challenging when dealing with hiring managers who are more motivated by filling positions than by risk mitigation. Privacy laws are also a major concern, especially when dealing with third-party contractors who have to handle highly sensitive security information.
When asked for their screening “wish lists,” one panelist said he’d like more ability to manage compliance requirements since his employees may be subject to regulators from multiple federal agencies. Another panelist said he’d like to see the association create a “best practices” accreditation program for employers, similar to the accreditation program that NAPBS currently offers consumer reporting agencies. The third panelist said he’d like better visibility into the status of individual screens, joking that he can see where his pizza is after he orders it so why not have the same ability for an ordered search?
The group took questions from the packed room. One response which drew universal applause came when a panelist was asked about the use of fingerprint records. He said that administratively, they are more trouble than they’re worth and the entire screening industry needs to do more to communicate that fingerprint records are nothing more than arrest records and can’t provide the complete candidate background picture.
State Drug Testing Laws: What Every Drug Testing Professional Should Know
- Every state allows some type of drug testing
- There are no two states with exactly the same laws
- Federal laws preempt state laws
- Litigation against the science of drug testing is obsolete – the practice is proven
Bill Current with Current Consulting led this session, intended as a basics primer for drug testing providers on ways to educate their clients about the myriad state laws, mandatory laws, voluntary laws, federal laws, privacy laws, medical marijuana laws, and case law decisions – all the things that can affect a drug screening policy.
Bill briefly covered the Department of Transportation’s (DOT) rule, 49 CFR Part 40, which describes required procedures for conducting workplace drug and alcohol testing for the federally regulated transportation industry. He also discussed the case Coats v. Dish Network (2015), in which a quadriplegic employee legally using registered medical marijuana was fired after testing positive for it. Even though his use was consistent with the laws of the state, the Colorado Supreme Court ruled against him, finding that employees can still be fired because marijuana remains illegal in the eyes of the federal government.
Don’t Bungle Your Last Chance Before a Lawsuit: How To Get Disputes Right
- Take advantage of the opportunity a dispute presents to get the information corrected and issues resolved as quickly as possible.
- Remember that disputes have a purpose. If a dispute is started, stop any adverse action and ensure the employer understands what’s going on.
- With all documentation and written communications, write as if your audience were potentially a jury. Ask how the text would be interpreted.
Scott Paler, an attorney and partner at DeWitt Ross & Stevens, gave an engaging lecture to a full room discussing how disputes should be handled. He started the discussion with the concept that the dispute process is more of a gift than a burden because it is the last stop before a lawsuit.
To take advantage of the dispute process, Scott said it is important to keep response times as short as possible in order to show the consumer that you are both professional and care about his dispute. Any adverse action should be halted immediately while the dispute is pending, and employers should be educated in the dispute process. He recommended a follow-up with the consumer to reiterate the dispute in writing to provide both documentation and clarification. In addition to written communication, he also recommended taking notes regarding any action or interaction dealing with the dispute.
Consumer Reporting Agency Requirements from Day 1 to 1,000,001
- Do not hinder the start of a dispute; open a dispute as soon as possible to start the process.
- Be careful with automated adverse action or flagging, which potentially only adds liability.
- Failure to test/validate your vendors could result in repeated disputes over data from the same vendor, which could be construed as willfully reporting incorrect information.
- Take every reasonable action to provide accurate information and to have procedures in place to ensure best practices are being followed.
Pamela Devata, a partner at Seyfarth Shaw, reviewed some suggested best practices for CRAs before another packed room. She said it is important to set up rules for duplicate information and to prevent inaccurate information from being reported more than once. Flags may be used to grab a user’s attention; however, make sure the flags are legal and do not sway users from following proper procedure.
“Salting” vendors and providing scripts for verifications are both good practices that help prevent lawsuits. By salting vendors (running the same searches through multiple vendors), information can be validated and tested against other providers, ensuring accurate information. When verifications are being performed, it can be helpful to provide scripts to ensure that questions are legal and relevant.
Selling International Background Services Made Simple
- There are 200 countries and territories utilizing screening.
- All countries maintain criminal records; it’s just a matter of how you obtain them.
Ed Etzel with NetForce Global said that more CRAs could be working with foreign markets. He set out to clear up some myths about selling international background screening.
Myth 1: International background screening is too difficult to learn and understand
The concepts of acquiring international criminal, credit/education and employment information have many similarities to acquiring the same information in the US.
Myth 2: It is not possible to obtain reliable information in foreign countries
Ed said all countries maintain some form of criminal and other records, but you must utilize the appropriate resource for a particular country. Country-specific customs and social norms can determine the types and comprehensiveness of information that can be obtained and transferred out of the country. Data privacy laws in some cases restrict the acquisition or use of information.
Myth 3: International screening is too expensive
Ed said that since demand for international data has grown significantly over the past few years, a high percentage of countries have focused on automation and bringing the acquisition costs down.
Myth 4: Information gained from international searches is notoriously fallible and less reliable
Countries have dramatically improved record-keeping technology, while paper-and-pen record keeping is fading fast. There are more record searchers worldwide performing more searches today, and quality is becoming a differentiator.
Myth 5: International screening takes too long
Turnaround times for criminal searches currently average about 6 days for the 20 most commonly requested countries. Automation allows for 24/7 data collection worldwide in developing background screening reports. Processes to accommodate retrieval of information have been streamlined in many countries.
Myth 6: Derogatory information is never found
Historically, the hit rate for international searches is extremely low in comparison to domestic searches. In many instances, a person cannot leave their country for the United States if they have a criminal record. Different countries also have differing reporting priorities. For example, in India, derogatory information for criminal cases is low, but derogatory information regarding education and employment is high. In Canada, the exact opposite is true.
Myth 7: Criminal records are not legally available
Through hearsay or improper guidance, a specific country search can sometimes be deemed as not available when, in fact, the reverse is true. Country laws or practices are frequently misinterpreted. Occasionally, country laws and practices are different for applicants residing in-country versus out-of-country.
Cyber Security: Trends, Threats and Best Practices
- Executives are being personally sued for breaches.
- Weakest link = stolen user ID/password
Aurobindo Sundaram with RELX Group gave some real-world examples of how the threat of cyber attacks has spread to the entire computing world, causing financial losses to businesses and consumers and placing new accountability on IT departments and company executives.
Examples of breaches:
- The now-famous Target breach: a third-party contractor had their login credentials compromised.
- JP Morgan: despite a $250 million security budget and 1,000 people in the security department, a stolen user ID and password from a third-party vendor led to the identity theft of 76 million individuals.
- Anthem BCBS: a breach there cost the company more than $100 million and led to lawsuits against senior officers.
Sundaram said that no matter what you do, intrusions will occur. He noted that encryption will solve some problems but won’t protect data if login credentials are stolen (the most common method). He suggested that companies focus on a holistic program that includes system monitoring, segregating information, and multi-factor authentication, while adopting a “best-practices” standard such as ISO 27001, NIST, etc. He also recommended implementing logging programs and algorithms that look for unusual transaction activity and raise alerts.
Cloud Computing: What You Really Need to Know
- Even though software is in the “cloud”, you should still do your due diligence when choosing software.
John Kloos with BackChecked made many of the technical cloud computing buzzwords understandable to the average non-techie.
He said “cloud computing” is really just a marketing term. Basically, it means that applications are delivered over the Internet in one of three forms:
- IaaS: Infrastructure as a Service – data center and hardware
- PaaS: Platform as a Service – operating system, database, and data center/hardware
- SaaS: Software as a Service – apps, deployment, operating system, database, and data center/hardware
For the screening industry, when shopping for a SaaS provider, Kloos said you must do your due diligence:
- Ask for references
- Do a background check on the company
- Check for insurance
- Examine their security policy
- Look for the data center’s SSAE 16 SOC 2 Type 2 report
- Ask about PCI scan reports
- Check out the Terms of Service – who owns the data, etc.
- Review access and control policies – IP allow-listing, multi-factor authentication, etc.
Identifying Compliance Priorities By (“Hold Your Nose!”) Thinking Like A Plaintiff’s Attorney
- Look at your business from the perspective of a lawyer that is trying to create a Class Action suit against you.
- To build a Class Action suit, a lawyer looks for the lowest-hanging fruit: business processes that you routinely perform on searches that could possibly be deemed faulty.
- Even though the laws look cut and dried, you should look closely at terms that could be misconstrued by attorneys.
Compliance laws are constantly evolving. As the session name implies, Scott Paler with DeWitt Ross & Stevens wanted to help CRAs evaluate their compliance policies by looking at them from the outside, through the eyes of a litigation-hungry, class-action lawyer.
What are plaintiff’s attorneys looking for when bringing a suit?
- Class-action status – there’s money in numbers
- Black-and-white technical violations – not following simple internal policies and procedures makes it much easier for a lawyer to pursue a case with little effort
- Possibility of real punitive damages – lawyers rarely take a case on principle alone
- Other plaintiff’s lawyers’ successes with similar cases – lawyers are copycats, and a legal precedent makes a case much more attractive
How to Prepare For a Security Breach And Respond Effectively When It Inevitably Occurs
- Encrypt all your data
- Define what is a security breach for your organization
- Update your end user agreements for liability or caps on costs
Phil Gordon with Littler Mendelson recommended that every CRA have a data breach/security incident response team: an interdisciplinary group ready to go in the event of a data breach.
What should your breach action plan be?
- Identify members of the team and assign roles and responsibilities
- Train the team for what they’ll do
- Set up a possible outside call center
- Consider an outside investigation team
- Include legal counsel
- Review/consider cyber-risk insurance
Phil said that about 66% of all breaches are either human mistakes or an insider hack. He also noted another interesting fact: if all data, computers and data storage devices are encrypted, then their loss or theft is not a data breach or security incident that must be reported to clients.
10 Years Since Data Breach Became a Common Term: What Have We Learned and What is Coming?
“Data breach” came into the tech vernacular around 2005. What has changed since then? Ron Raether with Faruki Ireland & Cox led a discussion about using the NAPBS best practices as a resource to create a data breach response plan.
The group talked about some of the biggest weaknesses, including clicking on malicious emails and using contractors who are not aware of security policies. The data breach issue is even more pressing because a company’s CIO can now be held personally responsible if a data breach occurs due to the lack of a data security plan – or the failure to follow a plan due to a lack of employee training. Ron also mentioned that companies should look into buying cyber-insurance.
Simplified Compliance Management for Screening Companies
- Compliance is top-down: all employees know their responsibility and senior management is involved
- Audit and review yourself before the FTC does
- If you have documentation of the above, the FTC will be more on your side
Becki Kuehn with Hudson Cook (and formerly with the FTC) has seen compliance law from all sides. She emphasized that CRAs need a Compliance Management System (CMS) that follows a product’s lifespan from start to finish.
- Establish CRA compliance responsibilities
- Communicate them to all employees
- Check if the plan works
- Review/audit it regularly
She urged a formal written program to document actions. Have documentation of your rules, how/when you’ve trained employees, and how/when you’ve audited. She said the FTC will look more favorably on your case if they see that kind of documentation.
- Oversight: senior management must be regularly involved
- Compliance program: defined infrastructure, titles that don’t conflict
- Complaints: be responsive; track, log, classify and analyze
- Audits: you can do it yourself, but better to use an independent firm; take corrective action before the FTC forces you
Becki said you can’t be too safe. Always send notices/get consent even if you’re not strictly required to do so. Make reports easy enough for a 7th grader to understand. Make sure duplicate records don’t look like separate charges. Finally, she told attendees that internal notes do not have to be disclosed to consumers.
Staffing Vendors & Third Parties Can Create Landmines for CRAs
- Be aware of what happens to your reports when they leave your hands (can third parties view them?)
- Ongoing cases may establish how much responsibility you have after you release records to the client
- Imagine worst-case scenarios before they happen
Lester Rosen with Employment Screening Resources led this session during which generating questions was as important as looking for answers. Lester created hypothetical scenarios to illustrate how combining CRAs and third parties can create FCRA exposure.
For example, a staffing agency may get a background report from you but share it with their client (whom you have not approved to view it). If the client makes a decision based on the background report, who will send the Adverse Action notices? Are you in compliance or at risk? Who can be sued: the CRA, the staffing vendor, or the employer? There’s a current case involving Amazon and its staffing vendor that may decide this question. Amazon uses the staffing vendor to staff Amazon warehouses all over the country.
Another example: an HR firm wants to sell your background reports. If they say “powered by XYZ CRA,” that’s fine. If they do not, they are now a CRA themselves and need to be in compliance with the FCRA.
FCRA Class Actions: Mechanics and Lessons Learned
- Forms/letters/FCRA rights you use in bulk need to be correct or they can lead to giant class action lawsuits
- Plaintiffs can cause giant headaches in class action suits just to force you to settle
- The law allows “strict procedures” or 613 letters but the jury will likely decide what constitutes “strict”
David Anthony with Troutman Sanders has represented CRAs in both individual and class-action lawsuits. He walked attendees through the stages of a class-action lawsuit: how many make up a “class” (usually more than about 35), how a class is certified, what actions trigger time constraints, and some legal dangers throughout the process for CRAs.
David said that pre-adverse and adverse action letters are ticking time-bombs. If they contain a mistake and you use the same one for all clients, you could be creating a huge class. Other mistakes include out-of-date FCRA rights and the failure to send a report 5 days before adverse action. He noted that the law allows “strict procedures” instead of sending 613 letters, but it will be the jury that will decide what constitutes “strict procedures” – and juries don’t like CRAs.
NAPBS Provider Guidelines: The Methods of a Certified Court Researcher
The NAPBS and the Provider Committee have a set of guidelines that have been in place for some time and were most recently revised in 2014. The NAPBS offers a Research Provider Exam (details can be found at https://www.napbs.com/education/providers.cfm). The goal is for both Providers and CRAs to be aligned in their answers. Six of the most discussed questions from the exam, along with the results from both providers and CRAs, were analyzed. By evaluating these six questions, the goal was to identify the differences between their answers. Differences ranged from less than 10% to over 20%. Education and communication improvements will be implemented between these two groups to reduce the gaps.
Pre-Employment Screening Program (PSP) Mandatory Driver Disclosure and Authorization
Recently, the Federal Motor Carrier Safety Administration (FMCSA) adjusted disclosure and authorization requirements for the Pre-Employment Screening Program (PSP). Ilya Krifman with NIC Federal went through some of the changes.
The primary news is that the PSP forms are going to change based on the new FCRA compliance rule that the disclosure and the authorization form must be separate. There is no firm date for the new forms to go live yet, nor is there a cut-over date established for when the new form will be absolutely mandatory. FMCSA has decided it will offer a “grace period” approach, where the old forms will still be legal for about 6 weeks in order to help ease the transition. New contracts with amended language will need to be signed by any CRA using PSP in order to acknowledge the understanding of the new requirements.
- There is no slowing of proposed legislation dealing with background screening
- NAPBS members are having an impact on lawmakers
Jamie Tucker with Akin Gump used this session to update the legislative scoreboard. At any given time, Akin Gump is tracking almost 700 pieces of legislation at the federal or state level, some of it in the planning stages, some already introduced, and some awaiting votes. This patchwork of laws can create complicated compliance issues for CRAs.
Jamie outlined some of the major 2015 “hot spots” they’re working to influence such as a tenant screening bill in California, employment credit screening bills in Massachusetts and New Jersey, a “direct relationship” bill in New York (dealing with the applicability of a past crime to a current employment application), and a Ban the Box bill in Ohio.
He also had the opportunity to put some notches in the “Win” column: bills dealing with ridesharing, an expungement bill in Virginia, a youth sports bill in Colorado, a salary history bill in California, and a 7-year gaming bill in Nevada.
Jamie recounted how he had cited Texas as the “trouble child” during the mid-year conference because of several onerous bills that were moving through the state legislature. But when NAPBS mobilized its members, those legislators received more than 7,500 e-mails within 48 hours. The bills were ultimately defeated, but Jamie noted that even bad bills tend to rise from the ashes in subsequent legislatures, so the vigil continues.
We’ll see you in DC in April!